Troubled Ukrainian Host Sidelined

A Ukrainian Web hosting provider that, according to published reports, has long served as home base to a prolific and invasive family of malicious software has been taken offline following abuse reports from Security Fix to the company's Internet provider.

Since at least 2005, and perhaps earlier, an entity known as UkrTeleGroup Ltd. has hosted hundreds of Web servers that control a vast network of computers infected with some variant of "DNSChanger," according to security software vendor McAfee, which monitors worldwide malware. DNSChanger is a Trojan horse program that changes the host system's settings so that all of the Internet traffic flowing to and from the infected computer is sent through servers controlled by the attackers.

UkrTeleGroup has been sharing Internet address space with a customer of Miami-based FPL FiberNet LLC, a subsidiary of FPL Group, a publicly traded (NYSE:FPL) company that claims roughly $15 billion in annual revenues. FPL is not accused of wrongdoing.

Tim Fitzpatrick, vice president of corporate communications at FPL Group, said the inquiry from Security Fix roughly coincided with a similar complaint from a company that FPL FiberNet purchases Internet bandwidth from, though he declined to name that entity.

"Coincident with your inquiry, we had received and were investigating a complaint from one of our service providers regarding UkrTelegroup," Fitzpatrick said. "We determined that one of our customers was providing Internet access to UkrTelegroup and have further determined that UkrTelegroup's activities violate our terms of use agreement. As a result, we have notified our customer that we are terminating its service."

Requests for comment sent to the contact e-mail addresses listed in UkrTeleGroup's registration records went unanswered as of publication time.

Chris Barton, lead scientist at McAfee Avert Labs, said he recently discovered that many of the rogue DNS servers at UkrTelegroup were forwarding traffic on Internet address space owned by a company called "Internet Path," in Albany, N.Y.

Internet Path's stated address is a mail forwarding box at a UPS store in Albany.

I called Internet Path at the phone number provided in their registration records, and left a message. A few minutes later, a woman named Judy, who spoke with an Eastern European accent, called me back. Judy politely declined to give her last name or say definitively that she was located in New York.

Judy indicated that she worked at the company formerly known as UkrTeleGroup, and further indicated that the company had been renamed to Internet Path. She then asked me to submit any other questions or comments via e-mail.

The DNSChanger family of malware that made its home at UkrTeleGroup manipulates host systems in a fundamental way, by changing the DNS settings of the infected computer. Domain name system (DNS) servers act as a kind of Internet phone book, translating user-friendly Web site names like example.com into numeric online addresses that are easier for computers to process.

Most computer users rely upon the DNS servers assigned to them automatically by their Internet provider, but malicious software like DNSChanger can specify different DNS server addresses. Once planted on the victim's computer, those rogue DNS settings will override any settings the victim's ISP may supply, allowing attackers to exercise complete control of the user's Internet connection.

"In this Web 2.0 world, the ability for the attacker to manipulate DNS records is significant," said Dave Marcus, director of security research at McAfee Avert Labs. "If the DNS is compromised, the victim can type anything he wants into his browser, but the attacker can still send him wherever he wants the victim to go."

Given that level of control, the scammers behind DNSChanger could use it to intercept personal and financial data, by redirecting victims who try to visit banking and e-commerce sites to counterfeit versions of those sites erected to steal their information. But the authors of DNSChanger appear to have instead chosen a more low-key approach: Machines infected with DNSChanger appear merely to have a small subset of their Web searches hijacked.

As this video from Finnish security company F-Secure Corp. explains, if the user of a computer infected with DNSChanger surfs to a non-existent Web page, that user will be presented with seemingly random, ad-filled Web pages and pop-up ads chosen by the malware authors, traffic that ostensibly generates pay-per-click ad revenue for the Trojan's authors.

The software also blocks infected computers from visiting security-related Web sites that might provide instructions and tools to help remove the malicious software. Among many sites blocked by the malware is Microsoft Update, which Microsoft uses to distribute software security updates to Windows PCs.

DNSChanger remains among the top threats facing computer users. According to Sunbelt Software, a computer security company based in Clearwater, Fla., the Trojan horse program was the tenth most commonly observed strain of malware in December 2008.

DNSChanger is most often distributed as a Web browser add-on that visitors to hacked or adult Web sites are told they need to install in order to view video content. But Patrick Jordan, a senior malware researcher at Sunbelt, said over the past year the Trojan has increasingly been bundled with "scareware," which uses fake security alerts to frighten consumers into paying for bogus computer security software.

There are several ways to detect whether your machine is infected with DNSChanger. One way is to check your system's DNS settings with a free tool such as HijackThis. If the DNS settings point to servers in the 85.255.X.X range, which are UkrTeleGroup's IP addresses, your machine is infected.

Also, if your system has scareware pop-ups bugging you to download or buy some security product, you most likely also have DNSChanger on your computer.
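The DNS-settings check described above, as an added example that is not part of the original article: it pulls the configured resolvers out of `/etc/resolv.conf`-style or `ipconfig /all`-style text and flags any that fall in the 85.255.X.X range the article attributes to UkrTeleGroup. The sample outputs are constructed for illustration, not captured from a real infected host.

```python
import ipaddress
import re

# The article names the 85.255.X.X range as UkrTeleGroup's address space.
ROGUE_RANGES = [ipaddress.ip_network("85.255.0.0/16")]


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def flag_rogue_resolvers(resolvers):
    """Return the resolver addresses that fall inside a known-rogue range."""
    return [addr for addr in resolvers
            if _is_ip(addr) and any(ipaddress.ip_address(addr) in net for net in ROGUE_RANGES)]


def resolvers_from_resolv_conf(text):
    """Pull nameserver entries out of /etc/resolv.conf-style text."""
    return re.findall(r"^\s*nameserver\s+(\S+)", text, re.MULTILINE)


def resolvers_from_ipconfig(text):
    """Pull DNS server entries out of `ipconfig /all`-style text (Windows).
    The first server follows the 'DNS Servers' label; additional servers appear
    on their own indented lines until the next labelled field."""
    servers, in_dns = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if "DNS Servers" in line:
            in_dns = True
            servers.append(line.split(":", 1)[1].strip())
        elif in_dns and _is_ip(stripped):
            servers.append(stripped)
        else:
            in_dns = False
    return servers


# Constructed sample output (not from a real host).
SAMPLE_RESOLV_CONF = "# Generated by NetworkManager\nnameserver 85.255.112.5\nnameserver 192.168.1.1\n"
SAMPLE_IPCONFIG = (
    "   Default Gateway . . . . . . . . . : 192.168.1.1\n"
    "   DNS Servers . . . . . . . . . . . : 85.255.116.20\n"
    "                                       85.255.112.78\n"
    "   NetBIOS over Tcpip. . . . . . . . : Enabled\n"
)

if __name__ == "__main__":
    for label, servers in (("resolv.conf", resolvers_from_resolv_conf(SAMPLE_RESOLV_CONF)),
                           ("ipconfig", resolvers_from_ipconfig(SAMPLE_IPCONFIG))):
        print(f"{label}: resolvers={servers} suspicious={flag_rogue_resolvers(servers)}")
```

On a live machine, feed the function the real file contents or command output instead of the constructed samples; a non-empty result is the indicator the article describes, and the correct remediation is to restore the ISP- or DHCP-assigned resolvers and clean the host.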

Security experts have long urged companies to wholesale block access to any of the thousands of Internet addresses assigned to UkrTeleGroup. In February 2006, the SANS Internet Storm Center, which tracks hacking trends, urged network administrators worldwide to block traffic destined for or coming from UkrTeleGroup, saying the network was associated with "a number of high profile criminal activities."

Michael LaPilla, director of malicious code operations for iDefense, a Sterling, Va.-based security intelligence firm, said it's difficult to find any sites that appear to be legitimate on UkrTeleGroup's network.

"Over the years, the number of Internet addresses [at UkrTeleGroup] associated with malicious activity has grown literally to thousands, so we can only recommend completely blocking the entire network," LaPilla said.

LaPilla said that, over the past week, more than four percent of the trouble tickets created by iDefense clients that experienced a malware infection or potential infection were the result of malicious software downloaded from Internet addresses assigned to UkrTeleGroup.

DNSChanger introduced some notable innovations in malware evolution. Originally developed to infect Microsoft Windows systems, DNSChanger morphed into a threat targeting Mac OS X users in November 2007.

In June 2008, new versions of DNSChanger began attempting to embed the rogue DNS servers in the victim's wired or wireless router, by trying the default passwords for each router model and then attempting to guess the user name and password by consulting a built-in list of the most commonly chosen credentials.

Last month, the DNSChanger authors added a new feature to their creation: the ability for one infected computer to hijack the DNS settings of virtually any nearby, Internet-enabled wireless device.

Unfortunately, shutting down UkrTeleGroup's Internet addresses may do little to stop the groups behind the DNSChanger Trojan. Sunbelt's Jordan said those responsible for DNSChanger appear to have begun moving to a new base of operations over the past few weeks, to a network in Latvia, called "Zlkon.lv."

I wish someone would take out the RIPE Network in Amsterdam. Every suspicious email link I right-click and run by the FF add-on Shazou always shows a WHOIS for them, and the accompanying Google map shows the server to be in Russia or Eastern Europe. :(